Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Network Telescopes Revisited
From Loads of Unwanted Traffic to Threat Intelligence
Piotr Bazydło, Adrian Korczak, Paweł Pawliński
Research and Academic Computer Network(NASK, Poland)
Who are wePiotr BazydłoHead of Network Security Methods Team [email protected]@nask.pl
Adrian KorczakNetwork Security Methods Team [email protected]
Paweł PawlińskiCERT [email protected]
mailto:[email protected]:[email protected]:[email protected]
Network Telescope
●Also known as darknet or blackhole.●Unused IP address space.
●No legitimate network traffic should be observed.
● First (?) & largest telescope (approx /8):
Network Telescope
In practice, we can see a lot of different activities:
●Misconfiguration of network devices/applications.
●Scanning.
●Backscatter from DoS attacks.
●Exploitation attempts (UDP).
●Weird stuff.
DoS attacks (backscatter)
What we want to achieve?
● Detect large-scale malicious events (botnets, exploits).
● Detect attacks on interesting targets.
● Track activities of specific actors responsible.
● Understand the dynamics (trends).
Problems
● How to group packets?
● How to classify them into events?
● How to find interesting events?
● How to identify actors?
● How to analyze trends?
Traffic going tonetwork telescope
Our approach
Stats:
~ 10 000 pps~ 25 000 000 000 packets per month80% = TCP
1. Monitored IPv4 space: > 100 000 addresses2. Analyze captured traffic every 5 minutes.
Parser up to L4 Parser L7
L7 payload
Traffic going tonetwork telescope
Two parsing scripts:
● Parser L4 – up to 4th OSI layer.
written in C++, uses libtins library.
● Parser 7 – parsing of 7th OSI layer.
written in python, uses dpkt library
Parser up to L4 Parser L7
Broker 1 AggregatorNAggregator
1 Broker ...
Initial aggregation
Aggregator ...
Redis
Traffic going tonetwork telescope
Parser up to L4 Parser L7
Initial aggregation
Redis
Analysis
Analyzer ...
Analyzer SIP
Traffic going tonetwork telescope
Analyzer TCP
Analyzer UDP
AnalyzerDNS
Analyzer amplifiers
Broker 1 AggregatorNAggregator
1 Broker ...Aggregator
...
Parser up to L4 Parser L7
Initial aggregation
Redis
Analysis
Analyzer ...
Analyzer SIP
Analyzer TCP
Analyzer UDP
AnalyzerDNS
Analyzer amplifiers
ElasticSearch
Traffic going tonetwork telescope
Broker 1 AggregatorNAggregator
1 Broker ...Aggregator
...
Case study 1 Botnet Fingerprinting
Botnet fingerprinting
Packets with SEQ = IP_DST
Botnet fingerprinting
Botnet fingerprinting
Botnet fingerprinting
Botnet fingerprintingIn total, about 45 000 unique IP addresses were identified.
Distribution of source IPs
Case study 2 Memcached
Memcached
Memcached
Github 1.3 Tbps DoS Reported 1.7
Tbps DoS
Memcached
Github 1.3 Tbps DoS Reported 1.7
Tbps DoS
Day 1 – 20.02 (first scan)
● Only 4 IP addresses
● Source: DigitalOcean, UK
● Duration: 25 minutes
● Constant source port per source IP
● One payload used (memcached statistics)
Day 5 – 24.02 (new actor)
● Only 1 IP addresses
● Source: AS 27176, DataWagon LLC, US
● Small hosting with anti-DDoS
● Randomized source ports
● New payload
● Scan lasted longer: 3 hours
And so on… Pre-GitHub scanners
● About 60 IP addresses.
● Several scanning patterns.
Distribution of source IPs
And so on… Post-GitHub scanners
● About 315 IP addresses.
● Multiple scanning patterns.
Distribution of source IPs
Looking deeper into packets
PGA● PGA = custom code to generate packets
● Improve DDoS Botnet Tracking with Honeypots, Ya Liu, 360 Netlab, Botconf 4th edition, Dec 2016
● Usually simple operations, examples● constant values
● byte swap
● incrementation
● Leaves patterns that can be used for IDS
● Our tool detects patterns and creates new signatures
2. XoR.DDoS PGA:
IP_ID = SPORT
TCP_SEQ[1:2] = IP_ID
1. Mirai:
TCP_SEQ = IP_DST
PGA examples
PGA example
Signatures everywhere
SYN FLOOD on IP belonging to Google – full of PGA signatures.
Signatures everywhere
SYN FLOOD on IP belonging to Google – full of PGA signatures.
32
1
1. SPORT = TCP_SEQ[1:2]
2. TCP_SEQ[3:4] = 0xFFFF
3. SPORT = IP_SRC[3:4]
Operations
Operational value of network telescopes
32
1
● Raw output from analyzers is not actionable (too many events)
● Scans → abuse notifications (automated for high confidence events)● PGA fingerprinting → Shadowserver remediation feeds● DoS attacks → situational awareness & alerts● Automated feeds provide limited “intelligence”
DoS b acksca tter f or the Polish IPv4 space
(color = PG
A fing erprin t)
Sharing threat information
32
1
● Automated distribution of abuse reports & IoCs
● Free
● > 100 active participating entities
● > 50 data sources
● Formats: JSON & CSV & more
Interested in getting the data?
32
1
● Network owners: send an email to [email protected] to sign up
● Usually working with national CSIRTs
Aiming for actual intelligence
32
1
● In-depth analysis of events extracted from the traffic
● insight into TTP
● more difficult to automate
● Anomaly / trend detection:
● forecast exploitation campaigns.
● new campaigns
● Attribute activities to botnets / actors
Future plans
32
1
● Combine network telescopes with other data sources
Honeypots, sandboxes, botnet tracking
● Research collaboration:
Looking for help in linking PGA signatures to tools / malware
mailto:[email protected]
This project has received funding from the European Union’s Horizon 2020 research and innovationprogramme under grant agreement No 700176.
https://sissden.eu
Slide 1Slide 2Slide 3Slide 5Slide 6Slide 7Slide 8Slide 9Slide 10Slide 11Slide 12Slide 13Slide 14Slide 15Slide 16Slide 17Slide 18Slide 19Slide 20Slide 21Slide 22Slide 23Slide 24Slide 25Slide 26Slide 27Slide 29Slide 30Slide 31Slide 32Slide 33Slide 34Slide 35Slide 36Slide 37Slide 38Slide 39Slide 40Slide 41Slide 42